Skip to content
This repository was archived by the owner on Mar 6, 2026. It is now read-only.

deps: bump the production-dependencies group with 6 updates#27

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/production-dependencies-39f5cdaa54
Closed

deps: bump the production-dependencies group with 6 updates#27
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/production-dependencies-39f5cdaa54

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Feb 2, 2026
edited
Loading

Bumps the production-dependencies group with 6 updates:

Package From To
@sentry/node 8.55.0 10.38.0
bcryptjs 2.4.3 3.0.3
csrf-csrf 3.2.2 4.0.3
dotenv 16.6.1 17.2.3
express 4.22.1 5.2.1
express-rate-limit 7.5.1 8.2.1

Updates @sentry/node from 8.55.0 to 10.38.0

Release notes

Sourced from @​sentry/node's releases.

10.38.0

Important Changes

  • feat(tanstackstart-react): Auto-instrument request middleware (#18989)

The sentryTanstackStart Vite plugin now automatically instruments middleware arrays in createFileRoute(). This captures performance data without requiring manual wrapping with wrapMiddlewaresWithSentry().

Other Changes

  • feat: Use v4.8.0 bundler plugins (#18993)
  • feat(browser): Add logs.metrics bundle (#19020)
  • feat(browser): Add replay.logs.metrics bundle (#19021)
  • feat(browser): Add tracing.replay.logs.metrics bundle (#19039)
  • feat(deps): bump import-in-the-middle from 2.0.1 to 2.0.6 (#19042)
  • feat(node): Add AI manual instrumentation exports to Node (#19063)
  • feat(wasm): initialised sentryWasmImages for webworkers (#18812)
  • fix(core): Classify custom AggregateErrors as exception groups (#19053)
  • fix(nextjs): Turn off debugID injection if sourcemaps are explicitly disabled (#19010)
  • fix(react): Avoid String(key) to fix Symbol conversion error (#18982)
  • fix(react): Prevent lazy route handlers from updating wrong navigation span (#18898)

... (truncated)

Changelog

Sourced from @​sentry/node's changelog.

10.38.0

Important Changes

  • feat(tanstackstart-react): Auto-instrument request middleware (#18989)

    The sentryTanstackStart Vite plugin now automatically instruments middleware arrays in createFileRoute(). This captures performance data without requiring manual wrapping with wrapMiddlewaresWithSentry().

Other Changes

  • feat: Use v4.8.0 bundler plugins (#18993)
  • feat(browser): Add logs.metrics bundle (#19020)
  • feat(browser): Add replay.logs.metrics bundle (#19021)
  • feat(browser): Add tracing.replay.logs.metrics bundle (#19039)
  • feat(deps): bump import-in-the-middle from 2.0.1 to 2.0.6 (#19042)
  • feat(node): Add AI manual instrumentation exports to Node (#19063)
  • feat(wasm): initialised sentryWasmImages for webworkers (#18812)
  • fix(core): Classify custom AggregateErrors as exception groups (#19053)
  • fix(nextjs): Turn off debugID injection if sourcemaps are explicitly disabled (#19010)
  • fix(react): Avoid String(key) to fix Symbol conversion error (#18982)
  • fix(react): Prevent lazy route handlers from updating wrong navigation span (#18898)

... (truncated)

Commits

Updates bcryptjs from 2.4.3 to 3.0.3

Release notes

Sourced from bcryptjs's releases.

v3.0.3

Bug fixes

  • Always yield to event loop before nextTick for async versions (#164) (1211e9a2213e0b3ee232a204b3ce899beebce31a)

v3.0.2

Bug fixes

  • Use upstream fix to emit interop helpers (28e510389374f5736c447395443d4a6687325048)

v3.0.1

Bug fixes

  • Separate ESM and UMD type definitions (e7055caf0c723cbcf8bc3f0784b8c30ee332380f)

v3.0.0

Breaking changes

  • Modernize project structure (2f45985738604c743c4b8cc8464e3e7d3e04c73d) The project now exports an ECMAScript module by default, albeit with an UMD fallback, ships with types, the dist/ directory no longer exists in version control, and Closure Compiler externs have been removed.
  • Generate 2b hashes by default (d36bfb42fa642b6d6986a84ce106a7110e5824db) This library was not affected by the bug that led to incrementing the bcrypt version from 2a to 2b, but nowadays most implementations use 2b, including the native bcrypt binding, so this change aligns with them. Existing hashes will continue to work, but test logic that generates hashes and compares them literally might need to be updated to account for the new default.

Features

  • Add helper to check for password input length (d5656b39e2e368c87724a312e4e454456a4e5d1b)

Other

  • Update publish workflow (2a9bea9e276e6be04dbd403f9695937788b3b10a)
  • Add note on using the ESM variant in the browser (e09eb9afb14170069aaea19631b763307ee7b480)
  • Update types (58333a1533dd53838e2697628f84b98d54a5c079)
  • Merge lint and test workflows (2e3b17659e8856696acfe3015631ce2989eb3084)
  • Fix tests (ec02e8a0ada7a8f6c71a91df164db8c25bbbb7b4)
  • Update legacy fallback to handle crypto dependency (9db275fa10b1b40da4a6844480d7f8ae8df27fb8)
  • Update lint workflow title (ac70ac57c2f99ad5639eddf54578e5fdd07b9c4c)
  • Adapt crypto module usage for ESM environments (574d690d4972bcebbd5ca07880a62abab9ae3c0b)
  • Format with prettier (e7465479282d8155852ce88d6407eccb14adc106)
  • Rename default branch to 'main' (548559d032d7dd5ac3e4e16d7afd87b36ebe96ca)
  • Update description to mention TypeScript support (4977df0849eaf8cad5b0d0b543fe452432a2d761)
  • Add stale action for issues and PRs (a84d4e45487df0972d8781feafa477d5db4c1dbd)
  • Fix typo (c8c9c01799bbc13092fcbb20cfab4d9015d14c61)
  • Fix Node.js version in CI (1b54cc48d4120b50e1d9058e5a67f326102fd744)

Backlog from v2

  • Added externs to .npmignore (#124) (7e2e93af99df2952253f9cf32db29aefa8f272f7) The npm package does not need externs as it is needed only for closure compiler. Added it in .npmignore since bcryptjs overrides global module and process in WebStorm IDE.
  • Make sure the bin script uses LF (684fac6814a81d974c805a15e22fd69922c7ca6e)
  • Post-merge; Clean up a bit (b09f7f266a7015456b7b36deeb026dc636f64542)

... (truncated)

Commits
  • 1211e9a fix: Always yield to event loop before nextTick for async versions (#164)
  • 28e5103 fix: Use upstream fix to emit interop helpers
  • e7055ca fix: Separate ESM and UMD type definitions
  • 2a9bea9 Update publish workflow
  • d5656b3 Add helper to check for password input length
  • e09eb9a Add note on using the ESM variant in the browser
  • 58333a1 Update types
  • 2e3b176 Merge lint and test workflows
  • ec02e8a Fix tests
  • 9db275f Update legacy fallback to handle crypto dependency
  • Additional commits viewable in compare view

Updates csrf-csrf from 3.2.2 to 4.0.3

Changelog

Sourced from csrf-csrf's changelog.

4.0.3 (2025-05-27)

generateCsrfToken will now always check if the existing token is valid before returning it. This validation is only derived from the request cookie, this way GET requests are not expected to include the CSRF token to ensure token reuse, this was a bug and not the intended/expected behavior.

If the CSRF token container in the request is somehow invalid when generateCsrfToken is called, this will be silently ignored and a new valid CSRF token will be generated and returned. If validateOnReuse is set to true, an error will be thrown instead.

Bug Fixes

  • validateOnReuse incorrectly throws (26b3dd6)

4.0.2 (2025-05-09)

Bug Fixes

4.0.1 (2025-05-08)

Bug Fixes

  • correctly skip CSRF token validation when validateOnReuse is false (bcaf1c3)

4.0.0 (2025-04-27)

⚠ BREAKING CHANGES

This list may not be an exhaustive list of breaking changes, for more information consult the version 3 -> 4 upgrade guide and the updated configuration documentation in the README.

  • Token generation now uses createHmac, the format has changed significantly, see the CSRF token format section of the upgrade guide.
  • getSessionIdentifier is now required and must return a unique identifier per-request (and per-session) - this is an essential part of CSRF token security
  • getTokenFromRequest renamed to getCsrfTokenFromRequest
  • generateToken renamed to generateCsrfToken
  • overwrite and validateOnReuse parameters for generateCsrfToken have been merged into a single object parameter which also accepts cookieOptions: generateCsrfToken(req, res, options);
  • Default value for validateOnReuse is now false
  • Default value for cookieOptions.sameSite is now strict
  • cookieOptions.signed is no longer available, CSRF tokens are inherently signed, this is redundant
  • delimiter option removed, csrfTokenDelimiter and messageDelimiter are now used for the respective purpose
  • signed option in cookieOptions config option removed (redundant), csrf tokens generated by csrf-csrf are inherently signed
  • size config option now sets the size of the message used to construct the hmac, now defaults to 32 instead of 64, this is combined with the return value of getSessionIdentifier to construct the hmac payload
  • Type CsrfTokenCookieOverrides renamed to CsrfTokenCookieOptions
  • Type CsrfTokenCreator renamed to CsrfTokenGenerator
  • Type doubleCsrfProtection renamed to DoubleCsrfProtection
  • Type RequestMethod renamed to CsrfRequestMethod
  • Type CsrfIgnoredMethods renamed to CsrfIgnoredRequestMethods

Features

... (truncated)

Commits

Updates dotenv from 16.6.1 to 17.2.3

Changelog

Sourced from dotenv's changelog.

17.2.3 (2025-09-29)

Changed

  • Fixed typescript error definition (#912)

17.2.2 (2025-09-02)

Added

  • 🙏 A big thank you to new sponsor Tuple.app - the premier screen sharing app for developers on macOS and Windows. Go check them out. It's wonderful and generous of them to give back to open source by sponsoring dotenv. Give them some love back.

17.2.1 (2025-07-24)

Changed

  • Fix clickable tip links by removing parentheses (#897)

17.2.0 (2025-07-09)

Added

  • Optionally specify DOTENV_CONFIG_QUIET=true in your environment or .env file to quiet the runtime log (#889)
  • Just like dotenv any DOTENV_CONFIG_ environment variables take precedence over any code set options like ({quiet: false})
# .env
DOTENV_CONFIG_QUIET=true
HELLO="World"
// index.js
require('dotenv').config()
console.log(`Hello ${process.env.HELLO}`)
$ node index.js
Hello World
or
$ DOTENV_CONFIG_QUIET=true node index.js

17.1.0 (2025-07-07)

Added

  • Add additional security and configuration tips to the runtime log (#884)
  • Dim the tips text from the main injection information text

... (truncated)

Commits

Updates express from 4.22.1 to 5.2.1

Release notes

Sourced from express's releases.

v5.2.1

What's Changed

[!IMPORTANT]
The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

Full Changelog: expressjs/express@v5.2.0...v5.2.1

v5.2.0

Important: Security

What's Changed

... (truncated)

Changelog

Sourced from express's changelog.

5.2.1 / 2025-12-01

  • Revert security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
    • The prior release (5.2.0) included an erroneous breaking change related to the extended query parser. There is no actual security vulnerability associated with this behavior (CVE-2024-51999 has been rejected). The change has been fully reverted in this release.

5.2.0 / 2025-12-01

  • Security fix for CVE-2024-51999 (GHSA-pj86-cfqh-vqx6)
  • deps: body-parser@^2.2.1
  • A deprecation warning was added when using res.redirect with undefined arguments, Express now emits a warning to help detect calls that pass undefined as the status or URL and make them easier to fix.

5.1.0 / 2025-03-31

  • Add support for Uint8Array in res.send()
  • Add support for ETag option in res.sendFile()
  • Add support for multiple links with the same rel in res.links()
  • Add funding field to package.json
  • perf: use loop for acceptParams
  • refactor: prefix built-in node module imports
  • deps: remove setprototypeof
  • deps: remove safe-buffer
  • deps: remove utils-merge
  • deps: remove methods
  • deps: remove depd
  • deps: debug@^4.4.0
  • deps: body-parser@^2.2.0
  • deps: router@^2.2.0
  • deps: content-type@^1.0.5
  • deps: finalhandler@^2.1.0
  • deps: qs@^6.14.0
  • deps: server-static@2.2.0
  • deps: type-is@2.0.1

5.0.1 / 2024-10-08

5.0.0 / 2024-09-10

  • remove:
    • path-is-absolute dependency - use path.isAbsolute instead
  • breaking:
    • res.status() accepts only integers, and input must be greater than 99 and less than 1000
      • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
      • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
    • deps: send@1.0.0

... (truncated)

Commits

Updates express-rate-limit from 7.5.1 to 8.2.1

Release notes

Sourced from express-rate-limit's releases.

v8.2.1

You can view the changelog here.

v8.2.0

You can view the changelog here.

v8.1.0

You can view the changelog here.

v8.0.1

You can view the changelog here.

v8.0.0

You can view the changelog here.

Commits
  • fe1604d 8.2.1
  • b11c05b Fix: don't warn for extra config from express-slow-down (#580)
  • 3734733 8.2.0
  • 962d737 feat: Unknown Options validation check (#578)
  • 992c15c chore(deps-dev): bump the development-dependencies group with 3 updates (#579)
  • 449a28a chore(deps-dev): bump the development-dependencies group across 1 directory w...
  • ceaff6f chore(deps-dev): bump @​biomejs/biome from 2.2.5 to 2.2.6 (#574)
  • 4fccb9e chore(deps-dev): bump lint-staged from 16.2.4 to 16.2.5 (#573)
  • b597770 Rework dependabot grouping
  • 03e8336 chore(deps-dev): bump mintlify from 4.2.114 to 4.2.175 (#572)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
deps: bump the production-dependencies group with 6 updates
d9750a3 
Bumps the production-dependencies group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [@sentry/node](https://github.com/getsentry/sentry-javascript) | `8.55.0` | `10.38.0` |
| [bcryptjs](https://github.com/dcodeIO/bcrypt.js) | `2.4.3` | `3.0.3` |
| [csrf-csrf](https://github.com/Psifi-Solutions/csrf-csrf) | `3.2.2` | `4.0.3` |
| [dotenv](https://github.com/motdotla/dotenv) | `16.6.1` | `17.2.3` |
| [express](https://github.com/expressjs/express) | `4.22.1` | `5.2.1` |
| [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) | `7.5.1` | `8.2.1` |


Updates `@sentry/node` from 8.55.0 to 10.38.0
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@8.55.0...10.38.0)

Updates `bcryptjs` from 2.4.3 to 3.0.3
- [Release notes](https://github.com/dcodeIO/bcrypt.js/releases)
- [Commits](dcodeIO/bcrypt.js@2.4.3...v3.0.3)

Updates `csrf-csrf` from 3.2.2 to 4.0.3
- [Changelog](https://github.com/Psifi-Solutions/csrf-csrf/blob/main/CHANGELOG.md)
- [Commits](https://github.com/Psifi-Solutions/csrf-csrf/commits)

Updates `dotenv` from 16.6.1 to 17.2.3
- [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md)
- [Commits](motdotla/dotenv@v16.6.1...v17.2.3)

Updates `express` from 4.22.1 to 5.2.1
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@v4.22.1...v5.2.1)

Updates `express-rate-limit` from 7.5.1 to 8.2.1
- [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases)
- [Commits](express-rate-limit/express-rate-limit@v7.5.1...v8.2.1)

---
updated-dependencies:
- dependency-name: "@sentry/node"
  dependency-version: 10.38.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: bcryptjs
  dependency-version: 3.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: csrf-csrf
  dependency-version: 4.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: dotenv
  dependency-version: 17.2.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: express
  dependency-version: 5.2.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
- dependency-name: express-rate-limit
  dependency-version: 8.2.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Feb 2, 2026

Labels

The following labels could not be found: dependencies, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Feb 9, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Feb 9, 2026
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/production-dependencies-39f5cdaa54 branch February 9, 2026 13:32
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants